Description
✨ Feature Description
When using the auth command with options such as -kirbi, Certipy always saves the output files using a fixed filename in the current working directory (e.g. administrator.kirbi). There is no option to define a custom output file name or path.
For example:
┌──(kali㉿kali)-[~/certipy-ad-outputs]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 1.2.3.4 -kirbi
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@domain.lab'
[*] SAN URL SID: 'S-1-5-21-1945827364-2874019562-903817455-500'
[*] Security Extension SID: 'S-1-5-21-1945827364-2874019562-903817455-500'
[*] Using principal: 'administrator@domain.lab'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving Kirbi file to 'administrator.kirbi'
[*] Wrote Kirbi file to 'administrator.kirbi'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@domain.lab': aad3b435b51404eeaad3b435b51404ee:57d485ef30c23530f2a8bc6785d48e44
Solution:
The issue can be solved by adding optional CLI arguments that allow users to explicitly define the desired output path for Kerberos and NTLM artifacts. For example, introducing flags such as --ticket-out and --ntlm-out would let Certipy write the generated files directly to a user-specified location. Alternatively, a single option such as --creds-out could be used to store all authentication artifacts in one file or directory if that approach is simpler to implement.
For instance, a user could run certipy-ad auth -pfx administrator.pfx -dc-ip 172.28.166.50 -kirbi --ticket-out /home/kali/tickets/administrator.kirbi, ensuring the Kerberos ticket is saved exactly in the wanted path. Likewise, using --ntlm-out /home/kali/hashes/administrator.ntlm (or --creds-out /home/kali/creds.out) would provide control over where NTLM hashes and related credentials are stored.
🚀 Why is this feature important?
It enables better automation and output management when running Certipy at scale or in scripted workflows.
It also prevents file overwrites and keeps Kerberos/NTLM artifacts organized in engagements.
🔄 Alternatives or Workarounds
No response
📎 Additional Context or Mockups
No response
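A sketch of how the requested output options could behave, added here as an example and not taken from Certipy's code base. The flag names `--ticket-out` and `--ntlm-out` are the ones proposed in this issue; the helpers `resolve_output`, `write_secret` and `demo` are hypothetical, and the artifact bytes are constructed placeholders. It also covers the overwrite concern by refusing to replace an existing file and by creating artifacts readable by the owner only.

```python
import argparse
import os
import tempfile
from pathlib import Path
from typing import Optional


def build_parser() -> argparse.ArgumentParser:
    # Flag names come from the proposal above; they are not existing Certipy options.
    parser = argparse.ArgumentParser(prog="auth-output-sketch")
    parser.add_argument("--ticket-out", type=Path, default=None)
    parser.add_argument("--ntlm-out", type=Path, default=None)
    return parser


def resolve_output(default_name: str, requested: Optional[Path]) -> Path:
    """No path requested: cwd/default_name (today's behaviour).
    Existing directory: directory/default_name. Anything else: used as the file path."""
    if requested is None:
        return Path.cwd() / default_name
    if requested.is_dir():
        return requested / default_name
    return requested


def write_secret(path: Path, data: bytes) -> Path:
    """Write a credential artifact owner-only, never replacing an existing file."""
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    # O_EXCL makes creation fail if the file exists, so an earlier artifact is kept.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def demo(base: Path) -> dict:
    argv = ["--ticket-out", str(base / "tickets" / "administrator.kirbi"),
            "--ntlm-out", str(base)]
    args = build_parser().parse_args(argv)
    ticket = write_secret(resolve_output("administrator.kirbi", args.ticket_out),
                          b"constructed-ticket-bytes")
    ntlm = write_secret(resolve_output("administrator.ntlm", args.ntlm_out),
                        b"constructed-hash-line\n")
    try:
        write_secret(ticket, b"second run")  # simulates running the tool twice
        clobbered = True
    except FileExistsError:
        clobbered = False
    return {"ticket": ticket, "ntlm": ntlm, "clobbered": clobbered}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(demo(Path(tmp)))
```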